On 1/14/19 5:30 PM, Uzor Ide via FreeIPA-users wrote:
Hello All,

I upgraded our IPA server and after the upgrade IPA won't start again. Further investigation shows that the components of IPA start, but pki-tomcatd@pki-tomcat.service appears to be where the issue lies. Checking the logs suggested that the issue lies in the certificate database. On checking the directory /etc/pki/pki-tomcat/alias with certutil:

[namead@ipasvr01 alias]$ sudo certutil -K -d . -f pwdfile.txt
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa      9bb20dbec9d8dd63e1db53b0662eaf37a1518bf9   ocspSigningCert cert-pki-ca
< 1> rsa      49d9f7a5f5ab3ed93d4037676b1bf9e236b89d0f   subsystemCert cert-pki-ca
< 2> rsa      df374a636d9a424aaefefc6367dcb868f82f536d   Server-Cert cert-pki-ca
*< 3> rsa      7cebd0bbadddd5e581c328a99982e0ef5172d61f   (orphan)*
< 4> rsa      52839be82200bb2a9ff2034629c53cd90a0575a8   auditSigningCert cert-pki-ca
< 5> rsa      c4a6d42c22a874a69231a2d7446bccfe9ce0cbaa   caSigningCert cert-pki-ca

Any help in deleting the key would be appreciated.

Thanks

_Uz

The certutil command can delete a key from an NSS database (certutil -F -k <id> -d /etc/pki/pki-tomcat/alias). But before you delete this private key, can you explain how you deduced that it was the root cause? I wouldn't advise deleting a private key if you're not 100% sure you need to.

PKI failing to start after an upgrade often happens when the certificate "subsystemCert cert-pki-ca" stored in /etc/pki/pki-tomcat/alias does not match the content of the usercertificate or description stored in uid=pkidbuser,ou=people,o=ipaca.

flo
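As an added example (not code from this thread or from FreeIPA/Dogtag), a small Python check for the two things raised above: which key IDs in a `certutil -K` listing carry no certificate (the "(orphan)" entries that `certutil -F -k <id>` would remove), and whether the subsystemCert exported from the NSS database is byte-identical to the usercertificate value of uid=pkidbuser,ou=people,o=ipaca. The certutil listing is reconstructed from the thread; the PEM and LDAP blobs are constructed dummy bytes, not real certificates.

```python
import base64
import hashlib
import re

# Constructed sample in the shape of the `certutil -K -d /etc/pki/pki-tomcat/alias`
# listing from the thread (key IDs copied from it; no key material involved).
CERTUTIL_K_OUTPUT = """\
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa      9bb20dbec9d8dd63e1db53b0662eaf37a1518bf9   ocspSigningCert cert-pki-ca
< 1> rsa      49d9f7a5f5ab3ed93d4037676b1bf9e236b89d0f   subsystemCert cert-pki-ca
< 3> rsa      7cebd0bbadddd5e581c328a99982e0ef5172d61f   (orphan)
"""
# Constructed dummy DER (NOT a real certificate): as the PEM `certutil -L -a` prints,
# as the base64 ldapsearch shows for usercertificate;binary, and a stale copy.
_DUMMY_DER = b"\x30\x82\x01\x0a" + bytes(range(32))
SAMPLE_NSS_PEM = ("-----BEGIN CERTIFICATE-----\n"
                  + base64.b64encode(_DUMMY_DER).decode() + "\n-----END CERTIFICATE-----\n")
SAMPLE_LDAP_B64 = base64.b64encode(_DUMMY_DER).decode()
SAMPLE_LDAP_B64_STALE = base64.b64encode(_DUMMY_DER + b"\x00").decode()

KEY_LINE = re.compile(r"^<\s*(\d+)>\s+(\w+)\s+([0-9a-f]{40})\s+(.+)$")

def parse_certutil_keys(text):
    """Return [(slot, algorithm, key_id, nickname)] parsed from certutil -K output."""
    keys = []
    for line in text.splitlines():
        m = KEY_LINE.match(line.strip())
        if m:
            slot, alg, key_id, nick = m.groups()
            keys.append((int(slot), alg, key_id, nick.strip()))
    return keys

def orphan_key_ids(text):
    """Key IDs certutil lists with no matching certificate. These are what
    `certutil -F -k <id>` would remove; confirm the cause before deleting any."""
    return [k[2] for k in parse_certutil_keys(text) if k[3] == "(orphan)"]

def pem_to_der(pem):
    """Strip the PEM armour and decode the body back to DER bytes."""
    body = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)

def subsystem_cert_matches(nss_pem, ldap_usercertificate_b64):
    """Compare the NSS copy of subsystemCert with the usercertificate value of
    uid=pkidbuser,ou=people,o=ipaca by SHA-256 over the DER bytes.
    Returns (matches, nss_sha256, ldap_sha256) so both digests can be reported."""
    nss_sha = hashlib.sha256(pem_to_der(nss_pem)).hexdigest()
    ldap_sha = hashlib.sha256(base64.b64decode(ldap_usercertificate_b64)).hexdigest()
    return nss_sha == ldap_sha, nss_sha, ldap_sha
```

On a real server the two inputs would come from `certutil -L -d /etc/pki/pki-tomcat/alias -n "subsystemCert cert-pki-ca" -a` and an ldapsearch of the pkidbuser entry; a mismatch points at the cause flo describes rather than at the orphan key.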

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
